Lessons In Industrial Instrumentation-14.pdf

2724

CHAPTER 33. INSTRUMENTATION CYBER-SECURITY

33.1.6 Stuxnet version 1.x

Subsequent versions of Stuxnet have been labeled as version 1.x and are treated here as one major release. A summary of Stuxnet versions 1.x appears here:

Infection point: The infection begins with files written to a removable drive (e.g. USB flash drive), automatically run by the Windows operating system upon connection to a personal computer. The infection is then able to spread from one Windows PC to another over networks using multiple Windows vulnerabilities.

Dropper vector: Exploit multiple “zero day”[10] vulnerabilities in Windows XP and Vista operating systems to aggressively propagate the virus over computer networks, then infect any Siemens Step 7 project files found on those computers.

Payload target: Siemens S7-315 programmable logic controllers (PLCs) regulating centrifuge rotor speeds.

Payload vector: Install a DLL (Dynamically Linked Library) file in the Siemens Step 7 software library collection designed to alter any Step 7 programming code downloaded to a PLC, inserting attack code in the infected PLCs.

Payload task: Change rotor speeds over time so as to make them pass through their “critical speed” range.

Goal: Increase stress on operating centrifuges, leading to premature failure. Again, avoid catastrophic cascade failure which would raise suspicion.

Stop date: June 24, 2012.
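The payload task above (driving rotor speeds through the critical-speed band) is something a plant can watch for independently of the PLC. The following added example, which is not from the textbook, is a small watchdog that reads rotor-speed samples from a sensor path assumed to be separate from the PLC under suspicion, counts complete traversals of a critical band, and pairs a downward traversal with the following upward one as an "excursion". A single upward crossing during a normal start-up ramp is expected and is not flagged; a dip through the band and back while the unit is supposed to be at speed is. The nominal speed, the band limits and the telemetry are constructed, hypothetical values.

```python
"""Rotor-speed watchdog flagging excursions through a critical-speed band.

Added example, not from the textbook. Assumes speed samples arrive as
(time_seconds, rpm) pairs from a sensor independent of the PLC, and that
the band limits below are plant-specific constructed values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed (hypothetical) values for a centrifuge rotor.
NOMINAL_RPM = 63000.0
CRITICAL_BAND = (26000.0, 30000.0)   # hypothetical resonance band, rpm


@dataclass(frozen=True)
class Crossing:
    t: float
    direction: str   # "down": came from above the band to below it; "up": the reverse


def band_state(rpm: float, band: Tuple[float, float] = CRITICAL_BAND) -> str:
    """Classify one sample as below, inside or above the critical band."""
    lo, hi = band
    if rpm < lo:
        return "below"
    if rpm > hi:
        return "above"
    return "inside"


def find_crossings(samples: Iterable[Tuple[float, float]],
                   band: Tuple[float, float] = CRITICAL_BAND) -> List[Crossing]:
    """One Crossing per complete traversal of the band.

    Samples inside the band are ignored until the rotor leaves it on one side
    or the other, so a traversal is only counted once the band is fully crossed.
    """
    crossings: List[Crossing] = []
    last_side = None   # last known side of the band ("below"/"above")
    for t, rpm in samples:
        state = band_state(rpm, band)
        if state == "inside":
            continue
        if last_side is not None and state != last_side:
            crossings.append(Crossing(t, "down" if state == "below" else "up"))
        last_side = state
    return crossings


def excursions(samples: Iterable[Tuple[float, float]],
               band: Tuple[float, float] = CRITICAL_BAND) -> List[Tuple[float, float]]:
    """Pair each downward traversal with the next upward one.

    Returns (t_down, t_up) pairs. A lone upward crossing (normal start-up) is
    not an excursion; a dip through the band and back while at speed is.
    """
    result: List[Tuple[float, float]] = []
    pending_down = None
    for c in find_crossings(samples, band):
        if c.direction == "down":
            pending_down = c.t
        elif pending_down is not None:
            result.append((pending_down, c.t))
            pending_down = None
    return result


def constructed_telemetry() -> List[Tuple[float, float]]:
    """Constructed sample: 10 min steady at speed, then a slow dip through the
    band (100 rpm/s for 400 s) and an equally slow climb back, 1 sample/s."""
    pts: List[Tuple[float, float]] = []
    t = 0
    for _ in range(600):
        pts.append((t, NOMINAL_RPM))
        t += 1
    rpm = NOMINAL_RPM
    for _ in range(400):
        rpm -= 100
        pts.append((t, rpm))
        t += 1
    for _ in range(400):
        rpm += 100
        pts.append((t, rpm))
        t += 1
    return pts


def constructed_startup() -> List[Tuple[float, float]]:
    """Constructed sample of a normal ramp from rest to nominal speed."""
    return [(t, min(NOMINAL_RPM, 200.0 * t)) for t in range(400)]


if __name__ == "__main__":
    for label, data in (("steady-then-dip", constructed_telemetry()),
                        ("normal start-up", constructed_startup())):
        ex = excursions(data)
        print(f"{label}: {len(ex)} excursion(s) {ex}")
```

The detector is deliberately indifferent to how the speed was commanded: it needs no access to the PLC program, only to a trustworthy speed measurement, which is the point of keeping it on a separate path.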

33.2 Motives

There are multiple motives for compromising the security of an industrial control system, some of which overlap motives for attacking IT systems, and some of which are unique to the industrial world. This section details some of the reasons why people might wish to attack an industrial control system.

[10] The term zero-day in the digital security world refers to vulnerabilities that are unknown to the manufacturer of the software, as opposed to known vulnerabilities that have been on record with the manufacturer for some time. The fact that Stuxnet 1.x employed no less than four zero-day Windows exploits strongly suggests it was developed by an agency with highly sophisticated resources. In other words, Stuxnet 1.x wasn’t made by amateurs. This is literally world-class hacking in action!


33.2.1 Technical challenge

Computer experts tend to be a demographic of people motivated by technical challenges and problem-solving. To this type of person, the challenge of breaking into a computer system designed to foil intruders may be too tempting to resist.

To the person interested in compromising a digital system just for the sake of seeing whether it can be done, the reward is in achieving access, not necessarily inflicting any damage. These people are generally not a direct threat, but may pose an indirect threat if they share their expertise with others harboring sinister motives.

Other individuals motivated by the technical challenge of accessing a digital system are interested in seeing just how much havoc they can wreak once they gain access. Such individuals are analogous to digital arsonists, interested in starting the biggest fire that they can simply for the sake of the fire’s size.

33.2.2 Profit

The major motive driving IT cyber-attacks today is profit: the theft of credit card and other sensitive digital information which may be sold on the black market. Criminal organizations benefit from this style of digital attack, with many attackers becoming millionaires by way of their digital exploits.

Another form of profit-driven attack is commonly called ransomware, where an attacker inserts malicious software on the victim’s computer(s) preventing access to the system or encrypting files such that they become unusable. This malware then presents a message to the victim asking for monetary payment in exchange for normal system access.

Neither of these attacks is novel to industrial systems; in fact both are commonplace in the IT world. What is novel in industrial systems is the severity of the repercussions. One might imagine the response from an oil drilling rig’s management team to ransomware preventing start-up of a new oil well, where downtime may be in the range of millions of US dollars per day of production. Not only is the imperative to get back online stronger than it would be for a private individual whose home computer was being held ransom, but the ability of an oil company to immediately pay the attacker is much greater than that of any private individual.

Another potential application of the profit motive in industrial system attacks is commodities trading. Traders who profit from the purchase and sale of commodities produced by industrial manufacturers might stand to gain by knowing the day-to-day operational status of those manufacturers. If such people were to access the production and inventory logs residing in a facility’s digital control system, for example, they may be able to make more profitable trading decisions based on this privileged information. Eavesdropping on industrial control system data therefore poses another mode of insider trading.


33.2.3 Espionage

Aside from gathering data from industrial systems for the direct purpose of profit, less direct motives for attacking industrial control systems exist. One such motive is the theft of proprietary process data, for example recipes and formulae for producing chemical products such as craft foods and drinks, as well as pharmaceuticals.

Special control strategies and process designs critical to the manufacture of certain products are valuable to competing organizations as well. A chemical company eager to discover how to control a temperamental new chemical reaction process might wish to sample the controller algorithms and instrument configurations used by a successful competitor. Even if these design details were not stolen outright, the attacker may gather valuable test data and learn from the developmental mistakes of their competitor, thereby saving time and money pursuing their own design.

Militaries also stand to gain from espionage of industrial measurement and control systems, since the military capabilities of other nations are founded on industrial-scale operations. A country interested in tracking the development of an adversary’s nuclear weapons potential, for example, would have a motive to perform digital espionage via the control systems of those foreign nuclear facilities.


33.2.4 Sabotage

Here, at least in my view, is where cyber-security as it relates to industrial control systems becomes really interesting. The major factor distinguishing digital control system security from IT system security is the former’s supervision of a real physical process. This means a control system cyber-attack has far more direct potential for harm than any IT cyber-attack.

Corporations and nation-states both have an interest in industrial sabotage if it means they may diminish the economic productivity of a competitor. A country, for example, whose export market is dominated by a single product may be tempted to launch cyber-attacks against facilities producing that same product in other countries, as a means to either maintain or elevate their power in the world economy. Corporations have the exact same interest, just at a different level within the global economy.

Certain activists may also have an interest in sabotaging an industrial facility. Shutting down production of a facility they deem dangerous or unethical, or perhaps just causing the company financial loss through poor product quality and/or non-compliance, are potential motivators for activists to target specific industrial processes.

Military interest in industrial sabotage is practically a “given” assumption, as such a cyber-attack merely constitutes a new type of weapon to add to their existing arsenals. Unlike conventional weapons, cyber-weapons are relatively inexpensive.

Another category of sabotage relevant to cyber-attacks is that perpetrated by malicious insiders. This last category is especially troubling, as it involves personnel with in-depth knowledge of the digital systems in question. This simple fact makes defense against such attacks extremely challenging, because these are people normally authorized to access the system and therefore are able to bypass most (if not all) security measures. A few notable examples of internal sabotage are listed here:

Secret agents of foreign nations

Recently discharged (former) employees

Disgruntled employees within a corporation

The destructive potential of a government operative with access to critical systems needs no further explanation. Employees, however, do. An employee who gets laid off or fired may still have access to their former employer’s critical systems if their system account is not promptly closed. The same is true if the company maintains a lax password policy, such as multiple people sharing a common user account. Even current employees may be motivated to sabotage their employer’s systems, especially where there might be an economic advantage[11] to doing so.

[11] Consider what forms of sabotage striking employees might be willing to do in order to gain leverage at the bargaining table.
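The two insider conditions named above, accounts of departed employees left open and accounts shared by several people, are both visible in ordinary administrative records if someone looks. The following added example, not from the textbook, reconciles a constructed HR roster (with separation dates) against a constructed export of control-system accounts (enable state, last logon, and the set of workstations each account has been used from). It reports accounts with no matching person, accounts still enabled after the person's separation date (noting any logon after that date), accounts used from more workstations than one person plausibly would (a heuristic for a shared credential), and long-unused accounts. All names, dates and hostnames are constructed.

```python
"""Control-system account hygiene check against an HR roster.

Added example, not from the textbook. All roster entries, account records,
dates and host names below are constructed for illustration.
"""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster: username -> (display name, separation date or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "jsmith":   ("J. Smith", None),
    "rdoe":     ("R. Doe", date(2023, 3, 15)),
    "operator": ("(shared ops login)", None),
}

# Constructed control-system account export.
CS_ACCOUNTS: Dict[str, dict] = {
    "jsmith":   {"enabled": True, "last_logon": date(2023, 6, 1), "hosts": {"ENG-01"}},
    "rdoe":     {"enabled": True, "last_logon": date(2023, 4, 2), "hosts": {"HMI-02"}},
    "operator": {"enabled": True, "last_logon": date(2023, 6, 2),
                 "hosts": {"HMI-01", "HMI-02", "HMI-03"}},
    "vendor1":  {"enabled": True, "last_logon": date(2022, 1, 9), "hosts": {"ENG-01"}},
    "old_svc":  {"enabled": False, "last_logon": date(2020, 5, 5), "hosts": set()},
}

# Issue codes: (user, code, detail)
Issue = Tuple[str, str, str]


def find_issues(roster: Dict[str, Tuple[str, Optional[date]]],
                accounts: Dict[str, dict],
                today: date,
                stale_days: int = 90,
                shared_host_threshold: int = 2) -> List[Issue]:
    """Return hygiene findings for every enabled account.

    Disabled accounts are skipped: they cannot be used, so they are not the
    urgent problem this check is about.
    """
    issues: List[Issue] = []
    for user, rec in sorted(accounts.items()):
        if not rec["enabled"]:
            continue
        hr = roster.get(user)
        if hr is None:
            issues.append((user, "orphan", "no matching person in HR roster"))
        elif hr[1] is not None:
            detail = f"separated {hr[1].isoformat()} but account still enabled"
            if rec["last_logon"] > hr[1]:
                detail += f"; logon on {rec['last_logon'].isoformat()} after separation"
            issues.append((user, "separated", detail))
        hosts: Set[str] = rec["hosts"]
        if len(hosts) > shared_host_threshold:
            issues.append((user, "shared",
                           f"used from {len(hosts)} hosts; likely a shared credential"))
        idle = (today - rec["last_logon"]).days
        if idle > stale_days:
            issues.append((user, "stale", f"no logon for {idle} days; review or disable"))
    return issues


def codes_for(issues: List[Issue], user: str) -> List[str]:
    """Convenience: the issue codes raised for one account, in report order."""
    return [code for u, code, _ in issues if u == user]


if __name__ == "__main__":
    for user, code, detail in find_issues(HR_ROSTER, CS_ACCOUNTS, date(2023, 6, 5)):
        print(f"{user:10} {code:10} {detail}")
```

The host-count heuristic is only that: a roaming engineer may legitimately use several workstations, so the threshold is a starting point for review, not a verdict. The separation check is the one that should be automatic, since it directly targets the "account not promptly closed" case.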